Add POST /api/v1/password endpoint accepting a JSON body
(username, old_password, new_password) protected by a shared
Bearer token (CHANGE_API_SECRET / -change-api-secret). It verifies
the current password via an LDAP bind before applying the change,
matching the alps "password" plugin bearer flow.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SHA-512 crypt has no 72-char truncation like bcrypt, but an unbounded
password length allows DoS via CPU exhaustion. Caps input at 128 chars
and adds unit tests for boundary conditions in checkPasswdConstraint.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>